Payday lenders are asking applicants to share their myGov login details, as well as their internet banking password — posing a security risk, according to some experts.

It also goes against the advice of the government website.

As spotted by Twitter user Daniel Rose, the pawnbroker and loan provider Cash Converters requires people receiving Centrelink benefits to provide their myGov access details as part of its online approval process.

A Cash Converters spokesperson said the company gets data from myGov, the government's tax, health and entitlements portal, via a platform provided by the Australian financial technology firm Proviso.

This occurs online, and computer terminals are also provided in-store.

Luke Howes, CEO of Proviso, said "a snapshot" of the most recent 90 days of Centrelink transactions and payments is collected, along with a PDF of the Centrelink income statement.

Some myGov users have two-factor authentication turned on, which means they must enter a code sent to their mobile phone to log in, but Proviso prompts the user to enter the digits into its own system.

This lets a Centrelink applicant's recent benefit entitlements be included in their bid for a loan. This is legally required, but does not need to occur online.

Keeping data safe

A Department of Human Services spokesperson said users should not share their myGov credentials with anyone.

"Anyone who is concerned they may have provided their username and password to a third party should change their password immediately," she added.

Disclosing myGov login details to any third party is unsafe, according to Justin Warren, chief analyst and managing director of IT consultancy firm PivotNine.

Especially given it is the home of My Health Record, Child Support and other highly sensitive services.

Nigel Phair, director of the Centre for Internet Safety at the University of Canberra, also advised against it.

A Cash Converters spokesperson claimed it does not store customer myGov or online banking login details.

Proviso's Mr Howes said Cash Converters uses his company's "one time only" retrieval service for bank statements and MyGov data.

The platform does not store any user credentials

"It needs to be treated with the highest sensitivity, whether it's banking records or it's government records, and that's why we only retrieve the data that we tell the user we're going to retrieve," he said.

Still, Mr Phair advised that users should not give out usernames and passwords for any portal.

"Once you've given it away, you don't know who has access to it, and the fact is, we reuse passwords across multiple logins."

A safer way

Kathryn Wilkes is on Centrelink benefits and said she has received loans from Cash Converters, which provided financial support when she needed it.

She acknowledged the risks of disclosing her credentials, but added, "You don't know where your information is going anywhere on the net.

"As long as it's an encrypted, secure system, it's no different than a working person going in and applying for a loan from a finance company — you still provide all your details."

Critics, however, argue that the privacy risks raised by these online loan application processes affect some of Australia's most vulnerable groups.

Mr Warren said this could all change if the banks made it easier to safely share consumer data.

"If the bank did provide an e-payments API where you could have secured, delegated, read-only access to the [bank] account for 90 days-worth of transaction details … that would be great," he said.

Mr Howes agreed, adding that this is something the financial technology industry is working towards.